Can Monitoring System State + Counting Custom Instruction Sequences Aid Malware Detection?

Signature- and behavior-based anti-virus systems (AVS) are traditionally used to detect malware. However, these AVS fail to catch metamorphic and polymorphic malware, which can reconstruct itself every generation or every instance. We introduce two machine learning (ML) approaches on system state plus instruction sequences, both using hardware debug data, to detect such challenging malware. Our experiments on hundreds of Intel malware samples show that the techniques, either alone or jointly, detect malware with ≥ 99.5% accuracy.
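As an added illustration of the instruction-sequence counting idea (example code, not the paper's own; the page does not give the paper's trace format, feature set or models), the following assumes a hardware debug trace has been reduced to a list of opcode mnemonics, counts its 3-gram sequences, and scores how far that distribution sits from a profile built on benign traces:

```python
from collections import Counter
from math import sqrt

def ngram_counts(trace, n=3):
    """Count every length-n opcode sequence in a mnemonic trace."""
    return Counter(tuple(trace[i:i + n]) for i in range(len(trace) - n + 1))

def normalize(counts):
    """Turn raw counts into relative frequencies (empty dict if no n-grams)."""
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()} if total else {}

def cosine_distance(a, b):
    """1 - cosine similarity over the union of n-gram keys; 1.0 means no overlap."""
    keys = set(a) | set(b)
    dot = sum(a.get(k, 0.0) * b.get(k, 0.0) for k in keys)
    na = sqrt(sum(v * v for v in a.values()))
    nb = sqrt(sum(v * v for v in b.values()))
    if na == 0 or nb == 0:
        return 1.0
    return 1.0 - dot / (na * nb)

def build_profile(traces, n=3):
    """Aggregate n-gram counts across benign traces into one frequency profile."""
    total = Counter()
    for t in traces:
        total.update(ngram_counts(t, n))
    return normalize(total)

def score_trace(trace, profile, n=3):
    """Distance of one trace's n-gram distribution from the benign profile."""
    return cosine_distance(normalize(ngram_counts(trace, n)), profile)

def classify(trace, profile, threshold=0.5, n=3):
    """Assumed decision rule: flag traces whose distance exceeds the threshold."""
    return "anomalous" if score_trace(trace, profile, n) > threshold else "benign"

# Constructed toy traces (assumed mnemonic sequences, not real captures).
BENIGN_TRACES = [
    ["push", "mov", "sub", "mov", "call", "mov", "add", "pop", "ret"],
    ["push", "mov", "sub", "call", "mov", "add", "pop", "ret"],
    ["mov", "cmp", "jne", "mov", "call", "add", "pop", "ret"],
]
# Constructed trace with a repeated decode-style loop that never appears in the profile.
UNSEEN_TRACE = ["xor", "inc", "loop", "xor", "inc", "loop", "xor", "inc", "loop", "jmp"]

if __name__ == "__main__":
    profile = build_profile(BENIGN_TRACES)
    for t in BENIGN_TRACES + [UNSEEN_TRACE]:
        print(round(score_trace(t, profile), 3), classify(t, profile))
```

The n-gram length and threshold are assumptions chosen for the toy data; in practice both would be tuned on held-out traces, which is where the ML step of the paper comes in.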
